(c) ACM, 2017. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACM Symposium on SDN Research, 2017-04-03.

Network Function Virtualization (NFV) promises a cloud-computing-like
shared platform for packet processing functions that is able to service
traffic at ever-growing line rates. However, existing NFV
platforms that run network functions inside VMs or containers can
provide either performance (by dedicating CPU cores) or multiplexing
(by context switching), but not both at once. Modular packet
processing frameworks that avoid context
switching by replacing VMs and containers with function calls to
packet processing functions are an intriguing way to achieve both
multiplexing and performance at the same time. However, they
compromise memory isolation between tenants by forcing them to use a
shared memory address space.
In this paper, we show that an operating
system-like management layer for module-based network functions that
co-reside in a single process can provide all the properties we
desire: multiplexing, performance, and isolation. To this end, we
are developing FastPaas, an NFV platform designed for multi-tenant
environments that provides OS-like constructs for memory and
performance isolation, resource allocation, state management, and
access control. To provide memory isolation, FastPaas leverages new
Intel CPU extensions (MPX) to create coarse-grained heap and stack
protection even for legacy code written in unsafe native languages
such as C. In addition, FastPaas seeks to process packets in a
run-to-completion manner, and uses programmable NIC offloads to
prevent batch fragmentation when processing complex service graphs.
Our preliminary evaluation shows the limitations of existing
techniques that require heavyweight memory isolation and incur
cross-core overheads.